# Lateral movement via WMI
https://attack.mitre.org/techniques/T1047/

## Example Data Source
https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200914080546.html

Let's start by looking for any WMIC activity:

In [1]:
wmic_procs = GET process FROM file:///home/pcoccoli/Data/SecurityDatasets/stix/empire_wmic_add_user_backdoor.json
            WHERE [process:command_line LIKE '%WMIC%']

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,file*,ipv4-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*
wmic_procs,process,1,118,118,175,175,4,2,119,41,9,118,118


We found 118 records of 1 unique process entity. Let's examine those:

In [2]:
DISP wmic_procs ATTR created, command_line, pid, x_unique_id

created,command_line,pid,x_unique_id
,,9428,
,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
,"""C:\windows\System32\Wbem\WMIC.exe"" /node:WORKSTATION6 process call create ""net user /add backdoor paw0rd1""",9428,
2020-09-14T12:06:01.826Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.826Z,"""C:\windows\System32\Wbem\WMIC.exe"" /node:WORKSTATION6 process call create ""net user /add backdoor paw0rd1""",9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.842Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.858Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.889Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.904Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}
2020-09-14T12:06:01.967Z,,9428,{2d351099-5ca9-5f5f-2f04-000000000400}


The command line alone gives this one away: `WMIC.exe` is invoked with `/node:WORKSTATION6 process call create`, i.e. it is used to create a new process on `WORKSTATION6`. On the target, a remote WMI process creation is carried out by the WMI Provider Host (`WMIPrvSE.exe`), which becomes the parent of the new process, so let's look for that next:

In [3]:
wmiprvse_procs = GET process FROM file:///home/pcoccoli/Hackday/mordor2stix/empire_wmic_add_user_backdoor.json
            WHERE [process:command_line LIKE '%wmiprvse%']

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,file*,ipv4-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*
wmiprvse_procs,process,2,161,282,439,439,4,2,288,83,24,282,282


In [4]:
DISP wmiprvse_procs ATTR created, command_line, pid, x_unique_id

created,command_line,pid,x_unique_id
,,3952,
,C:\windows\system32\wbem\wmiprvse.exe -secured -Embedding,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
,C:\windows\system32\wbem\wmiprvse.exe -secured -Embedding,3952,
,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.209Z,C:\windows\system32\wbem\wmiprvse.exe -secured -Embedding,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.217Z,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.235Z,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.249Z,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.264Z,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.295Z,,3952,{83d0c8c3-5caa-5f5f-f002-000000000400}


So there are 2 instances (hence 2 entities), pids 3952 and 7296 (only 3952 appears in the rows displayed above). They both occur after the `WMIC.exe` command we saw; the first timestamp (12:06:02.209Z) is less than a second after it (12:06:01.826Z). We can now try to find the processes created by these 2 instances:

In [5]:
spawned = FIND process CREATED BY wmiprvse_procs

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,file*,ipv4-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*
spawned,process,1,26,306,483,483,4,2,317,88,24,306,306


In [6]:
DISP spawned ATTR created, command_line, pid, x_unique_id, parent_ref.x_unique_id

created,command_line,pid,x_unique_id,parent_ref.x_unique_id
,,7768,,
,net user /add backdoor paw0rd1,7768,,
,net user /add backdoor paw0rd1,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},
,,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},
2020-09-14T12:06:02.311Z,,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},
2020-09-14T12:06:02.316Z,net user /add backdoor paw0rd1,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},{83d0c8c3-5caa-5f5f-f002-000000000400}
2020-09-14T12:06:02.327Z,,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},
2020-09-14T12:06:02.389Z,,7768,{83d0c8c3-5caa-5f5f-f102-000000000400},


We found only 1 spawned process, but its command line (`net user /add backdoor paw0rd1`) matches the argument of the original `WMIC.exe` command, and its `parent_ref.x_unique_id` is the `WMIPrvSE.exe` instance (pid 3952) we found above.
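As an added example (not part of the original notebook, and not Kestrel code), the same three-step hunt written in plain Python over constructed process-creation records: match a remote `WMIC ... /node:<host> process call create` command, then look on the named host for a child of `WmiPrvSE.exe` that starts within a short window of the call and carries the requested command line. The `host` and `parent_uid` fields, the 5-second window, and all record values are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed process-creation records (sample data, not the dataset itself),
# shaped like the columns displayed above plus the host that logged each event.
EVENTS = [
    {"host": "WORKSTATION5", "created": "2020-09-14T12:06:01.826Z", "pid": 9428,
     "uid": "{2d351099-5ca9-5f5f-2f04-000000000400}", "parent_uid": "{cmd-placeholder}",
     "command_line": '"C:\\windows\\System32\\Wbem\\WMIC.exe" /node:WORKSTATION6 '
                     'process call create "net user /add backdoor paw0rd1"'},
    {"host": "WORKSTATION6", "created": "2020-09-14T12:06:02.209Z", "pid": 3952,
     "uid": "{83d0c8c3-5caa-5f5f-f002-000000000400}", "parent_uid": "{svchost-placeholder}",
     "command_line": "C:\\windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"host": "WORKSTATION6", "created": "2020-09-14T12:06:02.316Z", "pid": 7768,
     "uid": "{83d0c8c3-5caa-5f5f-f102-000000000400}", "parent_uid": "{83d0c8c3-5caa-5f5f-f002-000000000400}",
     "command_line": "net user /add backdoor paw0rd1"},
    # Benign noise: a later, unrelated child of the same WmiPrvSE instance.
    {"host": "WORKSTATION6", "created": "2020-09-14T12:07:10.000Z", "pid": 8100,
     "uid": "{83d0c8c3-5caa-5f5f-f202-000000000400}", "parent_uid": "{83d0c8c3-5caa-5f5f-f002-000000000400}",
     "command_line": "C:\\windows\\system32\\ipconfig.exe /all"},
]

# Remote WMIC process creation: wmic[.exe] /node:<host> process call create "<cmd>"
REMOTE_WMIC = re.compile(
    r'wmic(?:\.exe)?"?\s+/node:(?P<node>\S+)\s+process\s+call\s+create\s+"?(?P<cmd>[^"]+)',
    re.IGNORECASE)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_remote_wmic_chains(events, window_s=5.0):
    """Link each remote WMIC call to the process WmiPrvSE spawned for it on the target.
    Returns (wmic_pid, node, wmiprvse_pid, child_pid, child_command_line) tuples."""
    by_uid = {e["uid"]: e for e in events}
    hits = []
    for src in events:
        m = REMOTE_WMIC.search(src["command_line"])
        if not m:
            continue
        node, wanted = m["node"].upper(), m["cmd"].strip().lower()
        for child in events:
            parent = by_uid.get(child["parent_uid"])
            # The child must run on the named node and be a WmiPrvSE child.
            if parent is None or child["host"].upper() != node \
                    or "wmiprvse.exe" not in parent["command_line"].lower():
                continue
            delta = (parse_ts(child["created"]) - parse_ts(src["created"])).total_seconds()
            # ...start shortly after the WMIC call and carry the requested command line.
            if 0 <= delta <= window_s and wanted in child["command_line"].lower():
                hits.append((src["pid"], node, parent["pid"], child["pid"], child["command_line"]))
    return hits
```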